The Personal Data Protection Bill was tabled in the Lok Sabha in December following much anticipation and debate.
The tabled Bill significantly differs from the one proposed by the Justice Srikrishna Committee, especially when it comes to provisions relating to governmental access to citizens’ data, with (retd) Justice Srikrishna going so far as to call it ‘dangerous’ and capable of creating ‘an Orwellian state’.
What has gone under the radar, perhaps, amidst this is the implications of the ‘social media intermediary’ construct that the Bill introduces, and the proposal to require certain social media platforms to provide users the option to voluntarily verify their accounts.
Section 26 defines ‘social media intermediary’ as a service that facilitates online interaction between two or more ‘users’ and allows users to disseminate media. While e-commerce, internet service providers, search engines, and email services are explicitly excluded from the definition, this term is broad enough to cover messaging services like WhatsApp, Telegram and Signal.
The Bill further provides for certain social media intermediaries to be designated as ‘significant data fiduciaries.’
Apart from the generic obligations that the Bill proposes for significant data fiduciaries, Section 28(3) requires these designated entities to provide users with an account verification mechanism.
Scope and permissibility
Clearly, the intended effect of the provisions is outside the ambit of what we generally understand by ‘data protection.’ Perhaps the drafters also recognised this, and therefore awkwardly included ‘laying down norms for social media intermediaries’ in the preamble.
The fundamental issue here is that the obligation conflicts with a core tenet of similar legislation globally that has been emphasised in the Bill as well: data minimisation, i.e. the principle that organisations should not collect more information than needed to fulfill their purpose. The verification requirement is essentially a State diktat coercing social media companies into collecting more information about their users than is necessary.
Another way to look at the provision is as a move to indirectly expand the amount of information available to the government. Interestingly, the intention behind Section 28(3) is not mentioned in the Bill or its Statement of Objects and Reasons. The legitimate aim required to justify privacy infringements by the State as laid down in Puttaswamy v. Union of India has not been sufficiently clarified in the case of this provision.
Therefore, this provision could very well flounder on being subjected to constitutional scrutiny.
Excessive delegation: Is the devil in the detail?
Another striking feature of the provisions is that several important decisions are left to the executive. The Bill gives the Centre the power to designate certain social media intermediaries as ‘significant data fiduciaries’ if they have with users higher than notified thresholds, whose ‘actions have, or are likely to have a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India’.
We can contrast this with the fact that the general power to classify entities as significant data fiduciaries lies with the Data Protection Authority (DPA). However, when it comes to social media intermediaries, the DPA is reduced to a paper tiger, with only consultation (and not even concurrence) being sought from the DPA.
This concentration of power in the hands of the government should be viewed in conjunction with the obvious conflict of interest created by the Bill: the government would be incentivised to designate platforms which attract dissenting speech, thereby increasing their obligations and concomitant costs.
The classification criterion is also problematic as ‘significant impact on electoral democracy’ is a subjective standard. Such powers could be a case of excessive delegation to the executive, possibly having an arbitrary impact on all growing social media platforms. Given this ambiguity, social media platforms may be incentivised to err on the side of caution and to apply harsher content moderation practices to police dissenting speech.
‘Voluntary’ verification of users
The Bill requires intermediaries to extend to users the option to verify their accounts, and verified accounts are to be provided a mark that shall be visible to all users. The manner in which platforms are supposed to facilitate this verification is yet another critical matter that is left to delegated legislation. If the history of Aadhaar is any indication, such delegation may result in rules that compromise the stated ‘voluntary’ nature of the provision.
Even if left truly voluntary, this obligation may have an adverse impact on the exercise of freedom of expression online. Almost all leading social media platforms rely on user insights to drive personalised advertisement services that generate most of their revenue. These platforms have normalised private-actor surveillance of human behaviour, and seek to collect as much information as possible about users and non-users alike.
For instance, despite criticism, Facebook has a ‘real name’ policy, going as far as collecting information from users’ friends and third-parties to verify the ‘real’ identities of its users. Therefore, platforms like Facebook may incentivise the verification of accounts by increasing the visibility and reach of content created by ‘verified’ accounts, thereby eroding the legitimacy of pseudonymous expression.
The proposal is in sharp contrast with EU’s General Data Protection Regulation, which has led to rulings in Germany that Facebook’s ‘real name’ policy violates the law. The primary motivation of data protection legislation is to limit the personal and social harms that arise out of such indiscriminate collection of information. Unfortunately, instead of mitigating these, the Bill may very well end up entrenching these harms.
It is also relevant to note that the intermediary guidelines proposed by the MeitY were criticised for placing onerous requirements on ‘intermediaries’, a term in the Information Technology (IT) Act that remains a Procrustean bed for almost all internet services. Since the IT Act does not provide a separate definition of ‘social media intermediary’ and only defines an ‘intermediary’, the inclusion of the provision in the Bill may be a more convenient, albeit misplaced, effort to classify intermediaries and subsequently carve out specific obligations.
However, as we point out, this classification is outside the scope of the PDP Bill and would be better suited in the IT Act. The proposed provisions lack a clear and legitimate aim that is sought to be achieved from user account verification, and an excessive delegation of powers to the executive.
The provisions also need to be looked at in conjunction with Section 35 of the Bill, which empowers the Central government to exempt any government agency from obligations relating to processing of personal data in the interest of security of the State where necessary.
This provision marks a significant dilution of the Bill proposed by the Srikrishna Committee, which clearly incorporated the Supreme Court’s ruling in Puttaswamy v. Union of India: any invasion into privacy by the government must be authorised by law, be necessary for a legitimate state purpose and be proportional to the said goal. If the Bill is passed in its current form, exempted law enforcement and intelligence agencies would be able to demand data from social media intermediaries, including information on the ‘real identity’ of users, with little safeguards.
Unfortunately, it seems that several provisions of the Bill, including the schema relating to social media platforms, seek to legitimise disproportionate forms of state surveillance rather than curbing the power of the government to invade citizens’ privacy.
Tanaya Rajwade and Gurshabad Grover are researchers at the Centre for Internet and Society (CIS). Views are the authors’ alone.
Disclosure: The CIS is a recipient of research grants from Facebook.